TRBAC: A Temporal Role-Based Access Control Model
Elisa Bertino
CERIAS and CS Department
Purdue University
Purdue University, Elisa Bertino
What is TRBAC?
- RBAC Model [Sandhu 98]
- Temporal constraints on role activations/deactivations
What is TRBAC?
- An active role is a role that a user can activate during a session (that is, the user can acquire the role’s)
- A role can be active in certain time periods and non active in others:
  Role activation: non active → active
  Role deactivation: active → non active
Why TRBAC?
- Often roles are characterized by a temporal dimension:
  Job functions may have limited or periodic time duration
  There may be activation dependencies among roles
TRBAC: Main Features
- Periodic activations/deactivations of roles
- Temporal dependencies among role activations/deactivations → ROLE TRIGGERS
TRBAC: Main Features
- Role triggers may cause either:
  Immediate activations/deactivations, or
  Deferred activations/deactivations
- Run-time requests to dynamically change the status of a role
TRBAC: Main Features
- Priorities for:
  Periodic activations/deactivations
  Role triggers
  Run-time requests
- Priorities are used for conflict resolution
TRBAC: Periodic Events
Definition (Periodic Event): A periodic event is a tuple (I, P, p:E) where I is a time interval, P is a periodic expression, p:E is a prioritized event expression, E ∈ {activate R, deactivate R}, R ∈ Roles.
Examples:
([7/1/00, 12/31/00], night-time, VH: activate doctor-on-night-duty)
([7/1/00, 12/31/00], day-time, VH: deactivate doctor-on-night-duty)
TRBAC: Role Triggers
Definition (Role Trigger): Role triggers are of the form
E1, …, En, C1, …, Ck → p:E after t
where the Ei are event expressions, Ei ∈ {activate R, deactivate R}, the Cj are role status expressions, Cj ∈ {active R, not active R}, R ∈ Roles, p:E is a prioritized event expression and t is a temporal displacement.
Role Triggers: Example
activate doctor-on-night-duty → VH: activate nurse-on-night-duty
activate nurse-on-day-duty → H: activate nurse-on-training after 2 Hours
Role Activation Base
([1/1/00, 12/31/00], night-time, VH: activate doctor-on-night-duty)
([1/1/00, 12/31/00], day-time, VH: deactivate doctor-on-night-duty)
([1/1/00, 12/31/00], day-time, VH: activate doctor-on-day-duty)
([1/1/00, 12/31/00], night-time, VH: deactivate doctor-on-day-duty)
activate doctor-on-night-duty → H: activate nurse-on-night-duty
deactivate doctor-on-night-duty → H: deactivate nurse-on-night-duty
activate doctor-on-day-duty → H: activate nurse-on-day-duty
deactivate doctor-on-day-duty → H: deactivate nurse-on-day-duty
activate nurse-on-day-duty → H: activate nurse-on-training after 2 Hours
deactivate nurse-on-day-duty → VH: deactivate nurse-on-training
RAB = Periodic Events + Role Triggers
TRBAC: Runtime Request Expressions
Definition (Runtime Request Expression): A runtime request expression has the form
p:E after t
where p:E is a prioritized event expression and t is a temporal displacement.
Examples:
deactivate nurse-on-training after 2 Hours
activate emergency-doctor
TRBAC: Formal Aspects
The Execution Model of a RAB specifies, for each instant t, the set of events that should occur at time t according to:
- periodic events & triggers in the RAB
- runtime request expressions
- priorities
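The execution model described above, worked through as an added example (this is not code from the talk or from the TRBAC paper): a small Python executor takes the slides' periodic events, role triggers and runtime requests, computes for each instant the events that occur, including deferred actions and chains of triggers, and resolves conflicts by priority. Everything not on the slides is an assumption made here: the paper's five priority levels VL < L < M < H < VH, one-hour time steps with 'day-time' firing at 08:00 and 'night-time' at 20:00, priority H for the slides' two runtime requests, a constructed 20:00 request that collides with a VH deactivation, ties resolved towards deactivation, and the role-status conditions Cj left out of the trigger bodies.

```python
"""Toy executor for a TRBAC Role Activation Base (RAB).  Added illustration, not code
from the talk or the TRBAC paper.  Assumptions not on the slides: the paper's five
priority levels VL < L < M < H < VH; one-hour time steps with 'day-time' firing at
08:00 and 'night-time' at 20:00; a same-instant conflict between activate R and
deactivate R is won by the higher priority, a tie goes to the deactivation
(fail-closed choice made here); role-status conditions Cj are not modelled."""
from datetime import date, datetime, timedelta
from typing import Callable, Dict, List, NamedTuple, Set, Tuple

PRIORITY = {"VL": 0, "L": 1, "M": 2, "H": 3, "VH": 4}

class Event(NamedTuple):          # prioritized event expression p:E
    prio: str
    op: str                       # "activate" | "deactivate"
    role: str

class PeriodicEvent(NamedTuple):  # (I, P, p:E): interval I as dates, P as a time predicate
    start: date
    end: date
    period: Callable[[datetime], bool]
    event: Event

class Trigger(NamedTuple):        # E1, ..., En -> p:E after t
    body: Tuple[Tuple[str, str], ...]
    head: Event
    after: timedelta = timedelta(0)

class RuntimeRequest(NamedTuple): # p:E after t, issued at instant 'issued'
    issued: datetime
    event: Event
    after: timedelta = timedelta(0)

def resolve(cands: Set[Event]) -> Set[Event]:
    """Conflict resolution: one event per role, highest priority wins, tie -> deactivate."""
    by_role: Dict[str, List[Event]] = {}
    for ev in cands:
        by_role.setdefault(ev.role, []).append(ev)
    return {max(evs, key=lambda e: (PRIORITY[e.prio], e.op == "deactivate"))
            for evs in by_role.values()}

class RABExecutor:
    def __init__(self, periodic: List[PeriodicEvent], triggers: List[Trigger]):
        self.periodic, self.triggers = periodic, triggers
        self.deferred: List[Tuple[datetime, Event]] = []   # Deferred_Actions table
        self.active: Set[str] = set()                       # Active_Roles table

    def step(self, t: datetime, requests: List[RuntimeRequest]) -> Set[str]:
        """Execution model for one instant t: collect events, fire triggers, resolve."""
        cands = {pe.event for pe in self.periodic
                 if pe.start <= t.date() <= pe.end and pe.period(t)}
        cands |= {rq.event for rq in requests if rq.issued == t and not rq.after}
        self.deferred += [(t + rq.after, rq.event) for rq in requests if rq.issued == t and rq.after]
        cands |= {ev for due, ev in self.deferred if due == t}      # deferred actions due now
        self.deferred = [d for d in self.deferred if d[0] != t]
        fired: Set[Trigger] = set()
        while True:                                  # fire triggers up to a fixpoint
            occurring = {(ev.op, ev.role) for ev in cands}
            ready = [tr for tr in self.triggers if tr not in fired and all(b in occurring for b in tr.body)]
            if not ready:
                break
            fired |= set(ready)
            cands |= {tr.head for tr in ready if not tr.after}
            self.deferred += [(t + tr.after, tr.head) for tr in ready if tr.after]
        done = resolve(cands)                        # priority-based conflict resolution
        self.active |= {ev.role for ev in done if ev.op == "activate"}
        self.active -= {ev.role for ev in done if ev.op == "deactivate"}
        return set(self.active)

DAY_TIME, NIGHT_TIME = (lambda t: t.hour == 8), (lambda t: t.hour == 20)  # assumed firing instants
Y2000, TWO_HOURS, E = (date(2000, 1, 1), date(2000, 12, 31)), timedelta(hours=2), Event
# The Role Activation Base from the slides: RAB = periodic events + role triggers.
RAB_PERIODIC = [
    PeriodicEvent(*Y2000, NIGHT_TIME, E("VH", "activate", "doctor-on-night-duty")),
    PeriodicEvent(*Y2000, DAY_TIME, E("VH", "deactivate", "doctor-on-night-duty")),
    PeriodicEvent(*Y2000, DAY_TIME, E("VH", "activate", "doctor-on-day-duty")),
    PeriodicEvent(*Y2000, NIGHT_TIME, E("VH", "deactivate", "doctor-on-day-duty")),
]
RAB_TRIGGERS = [
    Trigger((("activate", "doctor-on-night-duty"),), E("H", "activate", "nurse-on-night-duty")),
    Trigger((("deactivate", "doctor-on-night-duty"),), E("H", "deactivate", "nurse-on-night-duty")),
    Trigger((("activate", "doctor-on-day-duty"),), E("H", "activate", "nurse-on-day-duty")),
    Trigger((("deactivate", "doctor-on-day-duty"),), E("H", "deactivate", "nurse-on-day-duty")),
    Trigger((("activate", "nurse-on-day-duty"),), E("H", "activate", "nurse-on-training"), TWO_HOURS),
    Trigger((("deactivate", "nurse-on-day-duty"),), E("VH", "deactivate", "nurse-on-training")),
]

def example_day() -> Dict[int, Tuple[str, ...]]:
    """Simulate 1 July 2000 hour by hour; returns hour -> sorted Active_Roles."""
    day = datetime(2000, 7, 1)
    requests = [  # the slides' two runtime requests (priority H assumed) and a constructed conflict
        RuntimeRequest(day.replace(hour=12), E("H", "deactivate", "nurse-on-training"), TWO_HOURS),
        RuntimeRequest(day.replace(hour=12), E("H", "activate", "emergency-doctor")),
        RuntimeRequest(day.replace(hour=20), E("H", "activate", "nurse-on-training")),  # loses to VH
    ]
    rab = RABExecutor(RAB_PERIODIC, RAB_TRIGGERS)
    return {h: tuple(sorted(rab.step(day + timedelta(hours=h), requests))) for h in range(24)}
```

Running `example_day()` shows the day shift coming up at 08:00, nurse-on-training joining two hours later, the runtime requests taking effect at 12:00 and 14:00, and at 20:00 the VH deactivation of nurse-on-training fired by the trigger chain overriding the constructed H activation request. Note that firing triggers to a fixpoint before resolving conflicts is only well defined when the RAB is safe, which is exactly what the safeness condition on the following slides is for.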
TRBAC: Formal Aspects
Some specifications may yield no execution model, while some ambiguous specifications may admit two or more models. Example:
activate R → deactivate S
activate S → deactivate R
Requests: activate R, activate S
TRBAC: Formal Aspects
- Safeness condition that guarantees that a given RAB has exactly one model
- It exploits the notion of dependency graph: no cycles involving conflicting events
- Safeness check is polynomial in the RAB dimension
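A safeness check in the spirit of the slide, as an added example (not the talk's code, and not the paper's own dependency-graph definition, whose details are not on the slides). The reading assumed here: nodes are roles, each immediate trigger adds an edge from the role of every body event to the role of its head, and the RAB is reported unsafe if the events on some closed walk include both activate X and deactivate X for one role X. Deferred triggers ("after t") are skipped because their head occurs at a later instant. The check runs on the hospital RAB and on the two-trigger ambiguous specification from the previous slide; the MONOTONE specification is a constructed cycle with no conflicting events.

```python
"""Simplified safeness check for a TRBAC Role Activation Base.

Added illustration; not the dependency-graph definition of the TRBAC paper, whose
details are not on the slides.  Reading of the slide's condition used here: nodes
are roles, each immediate trigger contributes an edge from the role of every body
event to the role of its head, and the RAB is unsafe if the events on a closed walk
include both 'activate X' and 'deactivate X' for some role X.  Deferred triggers
('after t') are skipped because their head occurs at a later instant.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Expr = Tuple[str, str]                    # event expression (op, role)
Trigger = Tuple[List[Expr], Expr, bool]   # (body events, head event, deferred?)


def dependency_graph(triggers: List[Trigger]) -> Dict[str, List[Tuple[Expr, Expr]]]:
    """role -> list of (body event, head event) edges leaving it (immediate triggers only)."""
    graph: Dict[str, List[Tuple[Expr, Expr]]] = {}
    for body, head, deferred in triggers:
        graph.setdefault(head[1], [])
        for b in body:
            graph.setdefault(b[1], [])
            if not deferred:
                graph[b[1]].append((b, head))
    return graph


def reachable(graph: Dict[str, List[Tuple[Expr, Expr]]], start: str) -> Set[str]:
    """Roles reachable from start by one or more edges (start itself only via a cycle)."""
    seen, stack = set(), [start]
    while stack:
        for _, head in graph[stack.pop()]:
            if head[1] not in seen:
                seen.add(head[1])
                stack.append(head[1])
    return seen


def conflicting(events: Set[Expr]) -> bool:
    """True if both activate X and deactivate X are present for some role X."""
    return any(("deactivate", r) in events for op, r in events if op == "activate")


def unsafe_components(triggers: List[Trigger]) -> List[Tuple[List[str], List[Expr]]]:
    """Strongly connected components whose cyclic edges carry conflicting events."""
    graph = dependency_graph(triggers)
    reach = {r: reachable(graph, r) for r in graph}
    events: Dict[FrozenSet[str], Set[Expr]] = {}
    for u, edges in graph.items():
        for body, head in edges:
            if u in reach[head[1]]:       # edge u->v lies on a closed walk: v gets back to u
                comp = frozenset(w for w in graph if w in reach[u] and u in reach[w]) | {u}
                events.setdefault(comp, set()).update({body, head})
    return [(sorted(comp), sorted(evs)) for comp, evs in events.items() if conflicting(evs)]


def is_safe(triggers: List[Trigger]) -> bool:
    return not unsafe_components(triggers)


# The hospital RAB's triggers from the slides: (body, head, deferred?)
HOSPITAL: List[Trigger] = [
    ([("activate", "doctor-on-night-duty")], ("activate", "nurse-on-night-duty"), False),
    ([("deactivate", "doctor-on-night-duty")], ("deactivate", "nurse-on-night-duty"), False),
    ([("activate", "doctor-on-day-duty")], ("activate", "nurse-on-day-duty"), False),
    ([("deactivate", "doctor-on-day-duty")], ("deactivate", "nurse-on-day-duty"), False),
    ([("activate", "nurse-on-day-duty")], ("activate", "nurse-on-training"), True),   # after 2 Hours
    ([("deactivate", "nurse-on-day-duty")], ("deactivate", "nurse-on-training"), False),
]
# The ambiguous specification from the slides (two models for requests activate R, activate S)
AMBIGUOUS: List[Trigger] = [
    ([("activate", "R")], ("deactivate", "S"), False),
    ([("activate", "S")], ("deactivate", "R"), False),
]
# Constructed: a cycle carrying no conflicting events, which the condition does not reject
MONOTONE: List[Trigger] = [
    ([("activate", "R")], ("activate", "S"), False),
    ([("activate", "S")], ("activate", "R"), False),
]

if __name__ == "__main__":
    for name, rab in [("hospital", HOSPITAL), ("ambiguous", AMBIGUOUS), ("monotone", MONOTONE)]:
        print(name, "safe" if is_safe(rab) else f"UNSAFE {unsafe_components(rab)}")
```

Reachability is computed once per role, so the check is polynomial in the number of roles and triggers, in line with the slide's remark. Running it the hospital RAB is reported safe, the ambiguous specification is rejected with the component {R, S} and its four conflicting events, and a single trigger `activate R → deactivate R` is rejected as a self-loop.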
TRBAC: Architectural Aspects
- At each time it is necessary to know which are the active roles, on the basis of the RAB and runtime requests
- A request by a user to activate a role is authorized if:
  The user has the authorization to play that role
  The role is active at the time of the request
A Possible Architecture
(Architecture figure; its module and table labels, with the annotations shown beside them, are listed below.)
Modules:
- Trigger Support: in charge of firing triggers according to their priorities. If the action(s) caused by the trigger(s) are instantaneous, it returns them to the Action Handler. If the actions have to be deferred, it inserts them into Deferred_Actions.
- PE Handler: in charge of managing periodic events and inserting/deleting the corresponding actions into/from table Deferred_Actions.
- RTR Handler: activated each time a runtime request is issued. If the request is for an immediate action, it returns the action to the Action_Handler; if it is for a deferred action, it inserts the action into Deferred_Actions.
- DA Handler: in charge of executing deferred actions on the basis of the content of table Deferred_Actions.
- Action Handler: in charge of updating table Active_Roles according to the requests of the other modules. It uses table Actions to solve potential conflicts.
- Safeness Checker: activated each time a trigger is inserted/modified to verify whether safeness is preserved.
Tables:
- Events: a global event base which records the activations/deactivations of roles.
- Actions: a table which contains the actions to be potentially executed on Active_Roles.
- Triggers: a table which contains the specified triggers.
- Deferred_Actions: a table which contains an entry for each deferred action.
- Active_Roles: a table which contains the roles that can be activated.
- Periodic events
Generalized TRBAC (GTRBAC)
Motivations:
- TRBAC does not distinguish between a role being enabled and a role being active
  A role is enabled if the temporal conditions associated with it are satisfied
  A role is active if a user has logged in the role
  Only enabled roles can be activated
- Because of such limitations, TRBAC cannot support some forms of constraints, such as the maximum number of activations of a role by a user in a given time interval
GTRBACGTRBAC
GTRBAC extends TRBAC by introducing temporal conditions on:User-role assignmentsRole-permission assignments
A large number of constraints can thus be supported
GTRBAC – Examples of Constraints
- Constraints on the number of concurrent activations: “there can be at most 10 users activating the role DayDoctor at a time”
- Constraints on the number of total activations in a given period: “the role HeadNurse can be activated at most 2 times per day”
X-GTRBAC - Motivations
- Role Based Access Control Model: many benefits over traditional access control models when applied to emerging applications
- XML is a uniform platform for information interchange
- Our Goal: XML + RBAC extension, to provide an access control framework for Web-Services environments
X-GTRBAC - why XML?
XML - main benefits:
- Uniform, vendor-neutral representation of enterprise data
- Mechanism for interchange of information across heterogeneous systems
- Extensible syntax and semantics
- Widespread support from main platforms and tool vendors
X-RBAC Language
Modeling RBAC Elements:
- XML User Sheet (XUS) → Users
- XML Role Sheet (XRS) → Roles
- XML Permission Sheet (XPS) → Permissions
- credential types: XML CredType Definition
- separation of duty: XML SoD Definition
- temporal constraints: XML TempConst Definition
- triggers: XML Trigger Definition
X-RBAC Language
Policy Administration:
- XML User-to-Role Assignment Sheet (XURAS): User-to-Role Assignment
  XUS + XRS → XURAS
X-RBAC Language
Policy Administration:
- XML Permission-to-Role Assignment Sheet (XPRAS): Permission-to-Role Assignment
  XPS + XRS → XPRAS
XUS Grammar
<!-- XML User Sheet> ::= <XUS> <!-- User Definitions> </XUS>
<!-- User Definitions> ::= <Users> {<!-- User Definition>}+ </Users>
<!-- User Definition> ::= <User user_id=(id)> <UserName>(name)</UserName> {<!-- CredType>}+ <MaxRoles>(number)</MaxRoles> </User>
<!-- CredType> ::= <CredType cred_type_id=(id)> <type_name>(name)</type_name> <!-- Credential Expression> </CredType>
<!-- Credential Expression> ::= <CredExpr> {<(attribute name)>(attribute value)</(attribute name)>}+ </CredExpr>
An XML instance of XUS
<XUS>
  <User user_id="j1">
    <UserName>John</UserName>
    <CredType cred_type_id="C100">
      <type_name>Nurse</type_name>
      <CredExpr>
        <age>30</age>
        <field>opthalmology</field>
        <level>5</level>
        <status>single</status>
      </CredExpr>
    </CredType>
    <MaxRoles>2</MaxRoles>
  </User>
  <User> … </User>
  …
</XUS>
XRS Grammar
<!-- XML Role Sheet> ::= <XRS [xrs_id=(id)]> {<!-- Role Definitions>}+ </XRS>
<!-- Role Definitions> ::= <Roles> <Role role_id=(id)> <RoleName>(role name)</RoleName> [<!-- {En|Dis}abling Constraint>] [<!-- [De]Activation Constraint>] {<SSDRoleSetID>(id)</SSDRoleSetID>}* {<DSDRoleSetID>(id)</DSDRoleSetID>}* {<Junior>(name)</Junior>}* {<Senior>(name)</Senior>}* [<Cardinality>(number)</Cardinality>] </Role> <Role> .. </Role> .. </Roles>
An XML instance of XRS
<XRS>
  <Roles>
    <Role role_id="R100">
      <RoleName>Nurse</RoleName>
      <Senior>Eye_Doctor</Senior>
      <Cardinality>8</Cardinality>
    </Role>
    <Role role_id="R200">
      <RoleName>Eye_Doctor</RoleName>
      <DSDRoleSetID>DSD1</DSDRoleSetID>
      <Junior>Nurse</Junior>
      <Senior>Eye_Surgeon</Senior>
      <Cardinality>6</Cardinality>
    </Role>
  </Roles>
</XRS>
XPS Grammar
<!-- XML Permission Sheet> ::= <XPS [xps_id=(id)]> {<!-- Permission Definitions>}+ </XPS>
<!-- Permission Definitions> ::= <Permission perm_id=(id) [prop=(prop op)]> <Object type=(type name) id=(id)/> <Operation>(access op)</Operation> </Permission>
An XML instance of XPS
<XPS>
  <Permission perm_id="P1">
    <Object type="Schema" id="XS101"/>
    <Operation>all</Operation>
  </Permission>
  <Permission perm_id="P2">
    <Object type="Instance" id="XI100"/>
    <Operation>all</Operation>
  </Permission>
  <Permission perm_id="P3">
    <Object type="Element" id="XE100"/>
    <Operation>navigate</Operation>
  </Permission>
</XPS>
Example of XURAS
<XURAS>
  <URA ura_id="URA1">
    <RoleName>Eye_Doctor</RoleName>
    <Users>
      <User user_id="s1"/>
      <User user_id="s2"/>
    </Users>
    <CredConditions>
      <CredCondition>
        <CredType>Doctor</CredType>
        <LogicalExpr op="AND">
          <Predicate>
            <operator>eq</operator>
            <name_param>field</name_param>
            <value_param>Eye</value_param>
          </Predicate>
          <Predicate>
            <LogicalExpr op="OR">
              <Predicate>
                <operator>lt</operator>
                <name_param>age</name_param>
                <value_param>60</value_param>
              </Predicate>
              <Predicate>
                <operator>gt</operator>
                <name_param>level</name_param>
                <value_param>7</value_param>
              </Predicate>
            </LogicalExpr>
          </Predicate>
        </LogicalExpr>
      </CredCondition>
    </CredConditions>
  </URA>
</XURAS>
Example of XPRAS
<XPRAS>
  <PRA pra_id="PRA1">
    <RoleName>Nurse</RoleName>
    <Permissions>
      <perm_id>P3</perm_id>
    </Permissions>
  </PRA>
  <PRA pra_id="PRA2">
    <RoleName>Eye_Doctor</RoleName>
    <Permissions>
      <perm_id>P1</perm_id>
      <perm_id>P2</perm_id>
    </Permissions>
  </PRA>
</XPRAS>
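How the four sheets combine into a decision, as an added example (not the X-GTRBAC implementation and not code from the talk): the XUS, XPS, XURAS and XPRAS instances from the slides, made well-formed, are parsed with the Python standard library, a URA's nested AND/OR credential condition is evaluated against a user's credential attributes, and a role's permissions are looked up through XPRAS into XPS. Assumptions made here: two constructed users s1 and s2 holding Doctor credentials (the slides only show John), the reading that a user may hold the URA's role only if listed under <Users> and, when <CredConditions> is present, one credential has the required <CredType> and satisfies the <LogicalExpr>, missing attributes or unknown operators never satisfying a predicate, and <Operation>all</Operation> covering every access operation.

```python
"""Evaluating X-RBAC policy sheets with the standard library (added illustration,
not the X-GTRBAC implementation).  The sheets are the slides' XUS, XPS, XURAS and
XPRAS instances made well-formed, plus two constructed users (s1, s2) with Doctor
credentials.  Assumed reading of a URA: a user may hold the role if it is listed
under <Users> and, when <CredConditions> is present, one of its credentials has the
required <CredType> and satisfies the <LogicalExpr>."""
import xml.etree.ElementTree as ET

XUS = ET.fromstring("""<XUS>
<User user_id="j1"><UserName>John</UserName><CredType cred_type_id="C100"><type_name>Nurse</type_name>
 <CredExpr><age>30</age><field>opthalmology</field><level>5</level><status>single</status></CredExpr>
</CredType><MaxRoles>2</MaxRoles></User>
<User user_id="s1"><UserName>Sara</UserName><CredType cred_type_id="C200"><type_name>Doctor</type_name>
 <CredExpr><age>45</age><field>Eye</field><level>3</level></CredExpr></CredType><MaxRoles>2</MaxRoles></User>
<User user_id="s2"><UserName>Sam</UserName><CredType cred_type_id="C200"><type_name>Doctor</type_name>
 <CredExpr><age>65</age><field>Eye</field><level>7</level></CredExpr></CredType><MaxRoles>2</MaxRoles></User>
</XUS>""")                                   # s1 and s2 are constructed, not from the slides
XPS = ET.fromstring("""<XPS>
<Permission perm_id="P1"><Object type="Schema" id="XS101"/><Operation>all</Operation></Permission>
<Permission perm_id="P2"><Object type="Instance" id="XI100"/><Operation>all</Operation></Permission>
<Permission perm_id="P3"><Object type="Element" id="XE100"/><Operation>navigate</Operation></Permission>
</XPS>""")
XURAS = ET.fromstring("""<XURAS><URA ura_id="URA1"><RoleName>Eye_Doctor</RoleName>
<Users><User user_id="s1"/><User user_id="s2"/></Users>
<CredConditions><CredCondition><CredType>Doctor</CredType>
 <LogicalExpr op="AND">
  <Predicate><operator>eq</operator><name_param>field</name_param><value_param>Eye</value_param></Predicate>
  <Predicate><LogicalExpr op="OR">
   <Predicate><operator>lt</operator><name_param>age</name_param><value_param>60</value_param></Predicate>
   <Predicate><operator>gt</operator><name_param>level</name_param><value_param>7</value_param></Predicate>
  </LogicalExpr></Predicate>
 </LogicalExpr></CredCondition></CredConditions></URA></XURAS>""")
XPRAS = ET.fromstring("""<XPRAS>
<PRA pra_id="PRA1"><RoleName>Nurse</RoleName><Permissions><perm_id>P3</perm_id></Permissions></PRA>
<PRA pra_id="PRA2"><RoleName>Eye_Doctor</RoleName><Permissions><perm_id>P1</perm_id><perm_id>P2</perm_id></Permissions></PRA>
</XPRAS>""")


def text(el, path):
    return (el.findtext(path) or "").strip()


def eval_predicate(pred, attrs):
    """A <Predicate> is either a comparison or a nested <LogicalExpr>."""
    nested = pred.find("LogicalExpr")
    if nested is not None:
        return eval_logical(nested, attrs)
    op, name, want = text(pred, "operator"), text(pred, "name_param"), text(pred, "value_param")
    have = attrs.get(name)
    if have is None:                         # a missing attribute never satisfies a predicate
        return False
    try:
        have, want = float(have), float(want)  # numeric when both sides parse, else string
    except ValueError:
        pass
    return {"eq": have == want, "lt": have < want, "gt": have > want}.get(op, False)


def eval_logical(expr, attrs):
    results = [eval_predicate(p, attrs) for p in expr.findall("Predicate")]
    return all(results) if expr.get("op") == "AND" else any(results)


def credentials(user_id):
    """(type_name, {attribute: value}) for each <CredType> of the user in the XUS."""
    user = XUS.find(f"User[@user_id='{user_id}']")   # user_id is trusted input here
    creds = []
    for ct in ([] if user is None else user.findall("CredType")):
        expr = ct.find("CredExpr")
        attrs = {a.tag: (a.text or "").strip() for a in (expr if expr is not None else [])}
        creds.append((text(ct, "type_name"), attrs))
    return creds


def user_may_hold_role(user_id, role):
    for ura in XURAS.findall("URA"):
        if text(ura, "RoleName") != role:
            continue
        if user_id not in {u.get("user_id") for u in ura.findall("Users/User")}:
            continue                             # must be listed (assumed reading of a URA)
        conds = ura.findall("CredConditions/CredCondition")
        if not conds:
            return True
        for cond in conds:
            expr = cond.find("LogicalExpr")
            for ctype, attrs in credentials(user_id):
                if ctype == text(cond, "CredType") and (expr is None or eval_logical(expr, attrs)):
                    return True
    return False


def role_allows(role, obj_type, obj_id, operation):
    """Does the role hold, via XPRAS -> XPS, a permission on the object covering the operation?"""
    for pra in XPRAS.findall("PRA"):
        if text(pra, "RoleName") != role:
            continue
        for pid in pra.findall("Permissions/perm_id"):
            perm = XPS.find(f"Permission[@perm_id='{(pid.text or '').strip()}']")
            obj = None if perm is None else perm.find("Object")
            if obj is not None and (obj.get("type"), obj.get("id")) == (obj_type, obj_id) \
                    and text(perm, "Operation") in ("all", operation):
                return True                      # 'all' covers every access op
    return False
```

With these sheets, `user_may_hold_role("s1", "Eye_Doctor")` is true (listed, Doctor, field Eye, age 45 < 60), `user_may_hold_role("s2", "Eye_Doctor")` is false because neither branch of the OR holds (age 65, level 7), and John (j1) is refused before any credential is examined because he is not listed. `role_allows("Nurse", "Element", "XE100", "navigate")` is true through P3, while Nurse has nothing on the schema XS101 and Eye_Doctor's P1 `all` covers any operation on it.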
X-RBAC System Architecture
(Architecture figure. Labels shown: X-RBAC Module; XML Processor; XML Parser; DOM; Policy Loader; Policy Validation Module; RBAC Module; RBAC Processor; UR, PR DataSet; TRIG DataSet; Sessions DataSet; XML Sessions Log; Document Composition Module; XML Policy Base; Functional Module; Data Item; XML/SOAP Access Request; XML/SOAP Authorization. Legend: XML/SOAP.)
On-going Work
- Extension of the constraint language:
  Constraints on the set of roles a user can activate
  Obligations & Duties
- Development of graphical tools for TRBAC administration
- Testing on a Healthcare information system